Method and computer device to control software file downloads

ABSTRACT

A computer device includes a download unit which downloads one or more files into a storage device. A file logging unit records a resource locator identifying a source network location of the file, when the file is downloaded, and associates the resource locator with a first fingerprint of the file. A system policy unit stores the resource locator associated with a process control policy relevant to the file. A process control unit is arranged to obtain a second fingerprint of the file upon launching a process in a runtime execution environment, retrieve the resource locator from the file logging unit by matching the second fingerprint with the first fingerprint, retrieve the process control policy from the system policy unit according to the retrieved resource locator, and selectively apply process execution privileges which determine execution of the process in the runtime execution environment according to the retrieved process control policy.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.13/689,614, filed Nov. 29, 2012, entitled METHOD AND COMPUTER DEVICE TOCONTROL SOFTWARE FILE DOWNLOADS, which claims priority from foreignapplication GB1120611.7, entitled METHOD AND COMPUTER DEVICE TO CONTROLSOFTWARE FILE DOWNLOADS, filed in the United Kingdom on Nov. 30, 2011.Each of the foregoing applications is hereby incorporated by referenceherein in its entirety.

TECHNICAL FIELD

The present invention relates generally to the field of computers andcomputer devices. More particularly, the present invention relates to amethod and apparatus for controlling downloaded software files.

BACKGROUND

A computer device often needs to download and install new software.Typically, the new software is provided as one or more files, which aredownloaded by the computer device from a location on a network, such asa local area network (LAN) or the Internet.

It is well known that downloaded software presents a significant risk tothe security and reliability of the computer device, by exposing thecomputer device to unwanted software such as infections and malware(malicious software). Therefore, there is a need to provide a mechanismto control the downloading of software files to a computer device.

The exemplary embodiments have been provided with a view to addressingat least some of the difficulties that are encountered in currentcomputer devices, whether those difficulties have been specificallymentioned above or will otherwise be appreciated from the discussionherein.

SUMMARY

According to the present invention there is provided a computer device,a method and a computer-readable storage medium as set forth in theappended claims. Other, optional, features of the invention will beapparent from the dependent claims, and the description which follows.

At least some of the following exemplary embodiments provide an improvedmechanism for downloading software files to a computer device. There nowfollows a summary of various aspects and advantages according toembodiments of the invention. This summary is provided as anintroduction to assist those skilled in the art to more rapidlyassimilate the detailed discussion herein and does not and is notintended in any way to limit the scope of the claims that are appendedhereto.

In one example aspect there is provided a computer device comprising afile logging unit arranged to record a resource locator identifying asource network location of a file when the file is downloaded to astorage unit of the computer device, and to associate the resourcelocator with a first fingerprint of the file, a system policy unitarranged to store the resource locator associated with a process controlpolicy relevant to the file, and a process control unit arranged toobtain a second fingerprint of the file upon launching a process in aruntime execution environment based on the file, retrieve the resourcelocator from the file logging unit by matching the second fingerprintwith the first fingerprint, retrieve the process control policy from thesystem policy unit according to the retrieved resource locator, andselectively apply process execution privileges which determine executionof the process in the runtime execution environment according to theretrieved process control policy.

In one aspect, the process control unit is arranged to selectively allowor deny execution of the process in the runtime execution environmentaccording to the process control policy.

In one aspect, the process control unit is further arranged todynamically grant elevated execution privileges to the process whenspecified by the process control policy.

In one aspect, the process control unit is further arranged todynamically grant local administrator privileges to the process whenspecified by the process control policy.

In one aspect, the system policy unit is arranged to store a pluralityof predetermined resource locators each associated with a respectiveprocess control policy.

In one aspect, each process control policy determines executionprivileges of the files downloaded from the source network locationidentified by the respective resource locator.

In one aspect, the file logging unit is arranged to record the resourcelocator each time a file is downloaded to the computer device, therebylogging the resource locator and the fingerprint related to eachdownloaded file.

In one aspect, the computer device further includes a download unitwhich downloads the one or more files into the storage device. In oneaspect, the download unit comprises a browser.

In one aspect, the file logging unit is applied within a browser of thecomputer device used to download the files to the computer device from anetwork. In one aspect, the file logging unit is a plug-in to thebrowser.

In one aspect, the file logging unit is arranged to obtain thefingerprint of the file as a cryptographic hash.

In one aspect, the process control unit includes a dynamic linkedlibrary which is hooked into the process upon starting the process inthe runtime execution environment.

In one aspect, the process control unit intercepts a call made to anapplication programming interface to an operating system of the computerdevice to create a new process.

In one aspect, the process control unit is a kernel driver within anoperating system of the computer device and is arranged to intercept acall made through an application programming interface to the operatingsystem of the computer device to create a new process.

In one aspect, the process control unit is a kernel driver within anoperating system of the computer device and is arranged to receive anotification when a new process starts.

In one example aspect there is provided a method of controllingdownloaded files in a computer device, the method including the steps ofrecording a resource locator identifying a source network location of afile when the file is downloaded to the computer device, associating theresource locator with a first fingerprint of the file; providing aprocess control policy relevant to the file, wherein the process controlpolicy is associated with the resource locator, obtaining a secondfingerprint of the file upon launching a process in a runtime executionenvironment based on the file, retrieving the resource locator accordingto the second fingerprint and the first fingerprint, retrieving theprocess control policy according to the retrieved resource locator, andselectively applying process execution privileges which determineexecution of the process according to the retrieved process controlpolicy.

In one example aspect there is provided a computer-readable storagemedium having instructions recorded thereon which, when implemented by acomputer device, cause the computer device to be arranged as set forthherein and/or which cause the computer device to perform the method asset forth herein.

At least some embodiments of the invention may be constructed, partiallyor wholly, using dedicated special-purpose hardware. Terms such as‘component’, ‘module’ or ‘unit’ used herein may include, but are notlimited to, a hardware device, such as a Field Programmable Gate Array(FPGA) or Application Specific Integrated Circuit (ASIC), which performscertain tasks. Alternatively, elements of the invention may beconfigured to reside on an addressable storage medium and be configuredto execute on one or more processors. Thus, functional elements of theinvention may in some embodiments include, by way of example,components, such as software components, object-oriented softwarecomponents, class components and task components, processes, functions,attributes, procedures, subroutines, segments of program code, drivers,firmware, microcode, circuitry, data, databases, data structures,tables, arrays, and variables. Further, although the exemplaryembodiments have been described with reference to the components,modules and units discussed below, such functional elements may becombined into fewer elements or separated into additional elements.

BRIEF DESCRIPTION OF THE DRAWINGS

For a better understanding of the invention, and to show how exemplaryembodiments may be carried into effect, reference will now be made tothe accompanying drawings in which:

FIG. 1 is a schematic overview of example computer devices in which theexemplary embodiments may be applied;

FIG. 2 is a schematic diagram showing the example computer device and arelated method;

FIG. 3 is a schematic diagram showing the example computer device inmore detail concerning a process privilege management mechanism;

FIG. 4 is a schematic diagram showing an example operating system of thecomputer device in more detail; and

FIG. 5 is a schematic diagram showing the example computer device inmore detail concerning a hook and service mechanism.

DETAILED DESCRIPTION

The exemplary embodiments of the present invention will be discussed indetail in relation to Microsoft™ Windows™ operating systems. However,the teachings, principles and techniques of the present invention arealso applicable in other exemplary embodiments. For example, theexemplary embodiments are also applicable to other operating systems.

FIG. 1 is a schematic overview of a computer device 200 according to anexemplary embodiment of the present invention. In this example, the hostcomputer device 200 includes physical hardware (H/W) 201 such as memory,processors, I/O interfaces, backbone, power supply and so on. Anoperating system (OS) 202 provides a multitude of components, modulesand units that coordinate to provide a runtime environment (RTE) 203which supports execution of a plurality of processes, including one ormore user processes (USRP) 120. The processes 120 may relate to one ormore application programs (APP) 150 which the user desires to execute onthe computer device 200.

As illustrated in FIG. 1, the computer device 200 may take any suitableform. As one example, the computer device 200 is a relatively powerfulserver computer. In another example, the computer device 200 is auser-oriented computer device such as a desktop PC. As another example,the computer device 200 is a portable user-oriented computer device suchas a laptop computer, notebook, webbook, tablet, PDA or smartphone. Asfurther examples, the computer device 200 may have other form factors orbe incorporated within another device, such as an entertainment devicefor video and/or audio processing or output (gaming device, set-top box,television, music player).

As shown in FIG. 1, the computer device 200 employs a resource locator300 which identifies a location 301 within a network 100 where one ormore files 302 are located. For example, a network based on Internetprotocols may use a uniform resource locator (URL) with syntaxconsistent with RFC3986. The computer device 200 may then download thedesired file or files 302 from the source location 301 and save thesefiles in a storage unit 205 which is accessible locally to the computerdevice 200, such as a local hard drive or solid state storage (e.g.Flash RAM).

FIG. 2 is a schematic diagram showing the example computer device 200 inmore detail. A download unit (DU) 210 is arranged to download the files302 onto the storage unit 205. In one example, the download unit 210comprises an Internet browser. As will be familiar to those skilled inthe art, the download unit 210 searches for and retrieves the files 302across the network 100 from the location 301 specified by the resourcelocator (URL) 300.

As shown in FIG. 2, the example computer device 200 may further comprisea file logging unit (FLU) 220, a system policy unit (SPU) 230, and aprocess control unit (PCU) 240.

In one example embodiment, the file logging unit 220 is suitablyprovided as a component associated with the download unit 210. In oneembodiment, the file logging unit 220 is a plug-in to the Internetbrowser 210. The file logging unit 220 is arranged to record the URL 300each time one of the files 302 is downloaded. Also, when a file downloadprocess has been completed, the file logging unit 220 obtains afingerprint 303 of the newly downloaded file 302. The URL 300 and thefingerprint 303 are stored together by the file logging unit 220. Forexample, the file logging unit 220 may store the URL 300 and the relatedfile fingerprint 303 securely within a table or database locally withinthe computer device 200. Alternately, the file logging unit 220 mayexport the URL and fingerprint to another suitable location on thenetwork 100, such as a database on a file logging server (not shown). Acentrally accessible logging database or logging lookup tableadvantageously allows data to be combined from many different individualcomputer devices 200 and shared commonly between them. Also, the centralfile logging server allows users to roam between computers or to sharedownloads with other users.

The fingerprint 303 is suitably a hash. The hash may be a cryptographichash. In one example, the fingerprint is taken using the SHA-1 hashingalgorithm. However, many other fingerprinting and hashing algorithms arealso available and may be applied in other example embodiments.

In the following example embodiments, the system policy unit 230 isprovided locally within the computer device 200, as will be furtherexplained below. In another example embodiment, the system policy unit230 may be provided at a remote location such as on a system policyserver (not shown) which is in communication with the computer device200 across the network 100.

The system policy unit 230 stores a plurality of resource locators (URL)300. Each URL 300 is associated with a process control policy 305.Suitably, the URLs 300 and the policies 305 stored by the system policyunit 230 are determined and defined in advance. Thus, an administratormay determine URLs of interest and set a policy appropriate to each URLor group of URLs. Each policy 305 is used to control execution ofprocesses on the computer device 200 relevant to the files 302downloaded from that determined location.

The process control unit (PCU) 240 is provided to selectively enforcethe policies 305 stored in the system policy unit 230. In the exampleembodiments, the process control unit 240 is arranged to retrieve arelevant policy 305 when a process is started or launched into theruntime execution environment (RTE) 203. The process control unit 240suitably allows, or denies, execution of the process according to thepredetermined policy 305.

In operation, the download unit 210 downloads the file or files 302. Atstep 1, the file logging unit 220 records the relevant URL 300indicating the network location 301 as the source of the downloaded file302, and the fingerprint 303 of the downloaded file 302. Later, at step2, a user process 120 is started with respect to the downloaded files302 which will cause the downloaded file or files 302 to be executed onthe computer device 200. For example, an executable file or a softwareinstallation package is launched. It is possible that the downloadedfiles 302 are stored within the storage unit 205 for some length oftime, and then, some hours or days later, the installation process isinitiated. At step 3, the process control unit 240 obtains a fingerprintof the file 302 where execution is now desired. This second fingerprintis compared with the fingerprint(s) stored earlier by the file loggingunit 220 and, when matched, returns the URL 300 identifying the sourcenetwork location 301 of this downloaded file 302. The obtained URL ismatched against the predetermined URLs in the system policy unit 230 atstep 4, thereby retrieving one of the predefined policies 305. At step5, the obtained policy 305 is applied by the process control unit 240.

As mentioned above, the process control unit 240 is suitably arranged toselectively allow, or block, the intended process based on theconditions set in the policy 305. That is, the process control unit 240is suitably configured to selectively allow the application to run orinstall on the computer device 200. Typically this may involve unpackingthe downloaded file 302, and deploying an application program into theruntime environment 203 including providing links between the downloadedsoftware application and supporting resources, such as libraries (e.g.DLLs), on the computer device 200.

FIG. 3 is a schematic diagram showing the example computer device inmore detail. Here, the computer device 200 includes a plurality ofresources 115, 125. These resources 115, 125 are the components of thecomputer device that the processes 120 will rely upon in order to carryout their execution. For example, the resources 115, 125 may includeinstalled software, system services, drivers, files and/or registrysettings.

In one example embodiment, the process control unit 240 may be arrangedto dynamically grant elevated execution privileges when specified by theprocess control policy 305, such as granting local administratorprivileges to the process 120 which allows access to resources 115, 125of the computer device 200 that would otherwise be restricted.Typically, the access rights of the local administrator are required inorder to successfully install a new software application.

As shown in FIG. 3, the operating system 202 may include a securitymodule (SECO) 206 which is provided to enforce security within thecomputer device 200. As one example, the security module 206 is providedby the Windows™ operating system as supplied by Microsoft Corp ofRedmond, Wash., USA, under the trademarks Windows NT, Windows 2000,Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, andWindows 7, amongst others. The security module 206, which also termed asecurity sub-system or security manager, suitably enacts the Windowssecurity model as described, for example, in “Windows Security Overview”published 10 Jun. 2011 by Microsoft Corporation.

Each process 120 that a user initiates will be run in a security context121 that derives access rights and permissions from the user's account.To this end, each process 120 is provided with an access token (AT) 122.The access token 122 typically carries the security identity (SID) ofthe user and SIDs of any other security groups to which the userbelongs. The access token 122 thus defines the privileges as held onthis host computer 200 by the user and the relevant security groups.

In the example embodiment, the security module 206 is arranged toperform an access check when a user process 120 requests access to anyof the resource 115, 125. The security module 206 performs the accesscheck by comparing the access token 122 of the process 120 against asecurity descriptor, such as an access control list (ACL) 116, 126,associated with the relevant resource 115, 125. Here, the access controllist 116, 126 is suitably a Discretionary Access Control List (DACL)which identifies SIDs of users and groups that are allowed, or denied,various types of access (read, write, etc.) as appropriate for thatresource.

Usually, the security module (SECO) 206 in the operating system 202 issufficient to prevent the user process 120 from inappropriatelyaccessing certain key resources 115, while allowing the user process 120to access appropriate user resources 125, according to the respectiveaccess control list 116, 126. For example, the user process 120 is ableto read from, but not write to, a file of the key resources 115.Typically, the defined access types will depend upon the type ofresource being accessed. For example, storage is typically defined byread and write access rights, while a process may have terminate accessrights which determine whether or not a request to terminate thatprocess will be actioned by the operating system 202. As noted above, auser-level security context 121 is based on the user as the securityprincipal and the access token 122 is set accordingly. Suitably, in asystem which adopts a least-privilege access model, the user-levelsecurity context 121 is deliberately restricted to a minimal set ofaccess rights.

In practice, it is common for a user to be included in a security group,such as the local administrator security group, so that applicationprograms desired by the user will install and operate correctly withoutneeding additional support from a higher-authorized user account (suchas IT administrator personnel). Where a user is included in such aprivileged security group, all of the user process 120 initiated by thatuser will then be granted the higher-level privilege rights, such aslocal administrator rights, indiscriminately. Thus, granting localadministrator rights, or similar higher privileges, generally allows alluser processes 120 to access many of the key resources 115 of thecomputer system, but in an indiscriminate manner. Hence, it is desiredto achieve the desired operation of the user processes, but withoutgranting local administrator rights indiscriminately to the user.

In this example, the process control unit 240 includes a privilegemanagement module (PPMAN) 110. This module 110 is arranged to performdynamic process privilege reassignment, whereby the user process 120 isexamined and selectively provided with an adjusted set of privileges.Typically, the privileges of the user process 120 are elevated above aninitial level. However, it is also possible to selectively degrade theprivilege level of a particular user process using the same adjustmentmechanism.

As shown in FIG. 3, the user process 120 is granted a privileged usersecurity context 121 a by the privilege management module 110. This canbe considered as a dynamic elevation of the privilege level of the userprocess 120, so that the specific user process 120 is able to achieve adesired, legitimate function which requires greater access rights thanwere available initially. The process 120 is to be elevated is providedwith a new access token 122 a, which is created based on the initialaccess token 122 of that process. As one example, the SID of the localadministrator group is added to this new access token 122 a, andconsequently the process 120 now obtains the privileges and integritylevel of the local administrator. The user process 120 is then assignedthe new access token 122 a, such as by stopping and restarting theprocess, and thus the privileged user security context 121 a is nowapplied to that user process 120.

FIG. 4 is a schematic diagram showing the example computer device 200 inmore detail. In particular, FIG. 4 shows internal components within theoperating system OS 202. In the example embodiment, the operating system202 is based on Windows NT and includes two main components, namely theuser mode 220 and the kernel mode 230. The user mode 220 includesintegral subsystems (INT SUB) 221 such as workstation service, serverservice and the security module 206 as discussed above. The user mode220 also includes environment subsystems (ENV SUB) 223 such as a Win32environment subsystem, a POSIX environment subsystem and an0S2environment subsystem to support user programs, including the userprocesses 120 as discussed above. These programs and subsystems in theuser mode 220 have limited access to system resources. Meanwhile, thekernel mode 230 has unrestricted access to the computer device,including system memory and external devices, etc. The kernel mode 230includes a hardware abstraction layer (HAL) 231 which interfaces withthe physical hardware H/S 201, and a plurality of services, whichtogether are termed the Executive 233. The Executive 233 may include anObject Manager (OBJ MAN) 235 and other services (EXE SERV) 237.

The object manager 235 is an executive subsystem which controls accessto objects. The object manager 235 considers each of the resources 115,125 as an object, including both physical resources such as storagedevice or peripheral devices and a logical resource such as files orcontainers. All other executive subsystems, including particularlysystem calls, pass through the object manager 235 in order to gainaccess to the resources 115, 125. In operation, the object manager 235creates and inserts new objects, which makes the object accessiblethrough a handle. Generally speaking, the handle is a unique numericalidentifier which identifies that object (resource) to the object manager235. Each object created by the object manager 235 is stored in anobject table, and each entry in the object table may include the objectname, security attributes, a pointer to its object type, and otherparameters. Typically, the operating system 202 is configured so thatevery request to access a resource passes through the object manager235.

FIG. 5 is a schematic diagram showing the example computer device inmore detail concerning an example hook module 310 and service module320. Here, the process control unit 240 of FIG. 2 may include the hookmodule 310 in order to intercept system calls made by the user processes120. Also, the system policy unit 230 of FIG. 2 may include the servicemodule 320.

As shown in FIG. 5, the example computer device 200 provides theexecution environment 203 to execute the user process 120 according tothe user security context 121. As noted above, the user security context121 ordinarily defines the access privileges of the user process 120with respect to the plurality of resources 115, 125 that are availablein the execution environment 203. A security unit 250 is arranged toselectively permit, or deny, access by the user process 120 to theplurality of resources 115, 125. In this example, the security unit 250includes the security module 206 and the object manager 235 as discussedabove.

In operation, the user process 120 makes a system call toward thesecurity unit 250 to request the creation of a new process within theexecution environment 203. In the example embodiment, the hook module310 is embedded within the user process 120. In one example, the hookmodule 310 is a DLL (dynamic linked library) component that hooks intoeach user process 120. The hook module 310 suitably hooks into the userprocess 120 as that process is started within the execution environment203. In the example embodiment, the hook module 310 is arranged tointercept all relevant system calls. In the Windows operating system,the Windows API (application programming interface) provides a set ofwell-defined system calls, including calls which relate to the creationof a new process.

The hook 310 is arranged to intercept the API call, and may thencommunicate with the service module 320 in order to determine therelevant policy 305 to be applied. The hook 310 and the service module320 may communicate by any suitable form of inter-process communication(IPC). In the example embodiments, the service module 320 executes in aprivileged security context 111. As an example, the service module 320may run in the privileged security context 111 of the SYSTEM account.Typically, this privileged security context 111 gives unrestrictedaccess to local resources.

The service module 320 is arranged to validate the request from the hook310 against the policies 305 as recorded in a policy table 330. In thisexample, the validation is based on the URL of the downloaded file 302,but may also include checking a file name of the user process 120, theowner of the process 120 (i.e. the user), or other suitable criteria.The policy table 330 provides a configurable mechanism to determinewhether or not the requested access will be permitted or denied. In anexample embodiment, non-exact matching is also permitted within thepolicy table 330, such as by wild card matching. In the exampleembodiment, the service module 320 suitably identifies whether or not apredetermined policy 305 exists with reference to this request, i.e.using the relevant fingerprint 303 of the file 302 as an index toretrieve the related source location URL 300, and using the retrievedURL 300 as an index to the respective policy 305.

In the example embodiments the WIN32 API functions will call theirnative API counterparts. Here the native API provides the interfacebetween the user mode 220 and the kernel mode 230 within the operatingsystem 202 as noted above. Therefore, in the example embodiments, thehook module 310 may be implemented by intercepting the Win32 API or thenative API functions. For example, a file can be created or openedthrough the Win32 API via the CreateFile function or through the nativeAPI via the ZwCreateFile and ZwOpenFile functions. Thus, the processcontrol module 240 of FIG. 2 can include the hook module 310 as a kerneldriver within the operating system 202. The process control module 240can also be configured to receive notifications from the operatingsystem when a new process is created, and then intercept the new processat that point.

In summary, the exemplary embodiments have described an improvedmechanism to control downloaded software files within a computer device.The industrial application of the exemplary embodiments will be clearfrom the discussion herein.

Although a few preferred embodiments have been shown and described, itwill be appreciated by those skilled in the art that various changes andmodifications might be made without departing from the scope of theinvention, as defined in the appended claims.

1-16. (canceled)
 17. A computer-implemented method for securely anddynamically managing privileges for computer processes associated withdownloaded files, the computer-implemented method comprising:generating, by a computer system, a runtime execution environment, theruntime execution environment comprising a restricted security context;launching, by the computer system, a process in the restricted securitycontext based on a downloaded file; generating, by the computer system,a runtime fingerprint of the downloaded file responsive to launching theprocess in the restricted security context; requesting, by the computersystem, from a file logging database stored outside of the restrictedsecurity context, a source address associated in the file loggingdatabase with a verification fingerprint of the downloaded file whichmatches with the runtime fingerprint; requesting, by the computersystem, from a process control policy database stored outside of therestricted security context, a process control policy associated in theprocess control policy database with a resource address which matcheswith the source address of the downloaded file as obtained from the filelogging database, wherein requesting the process control policy occursresponsive to receiving the requested source address; and dynamicallyelevating or degrading, by the computer system, responsive to receivingthe requested process control policy, execution privileges of theprocess in the restricted security context according to the processcontrol policy; wherein the computer system comprises a computerprocessor and electronic memory.
 18. The computer-implemented method ofclaim 17, further comprising: inserting a plug-in into a browser of thecomputer system, downloading a file to the computer system from a sourceaddress of the file using the browser; generating a verificationfingerprint of the file using the plug-in responsive to downloading thefile by the browser; and storing, by the plug-in, the verificationfingerprint and the source address in the file logging databaseresponsive to generating the verification fingerprint of the file. 19.The computer-implemented method of claim 17, wherein the downloaded filewas downloaded by the computer system.
 20. The computer-implementedmethod of claim 19, further comprising: generating, by the computersystem, the verification fingerprint of the downloaded file responsiveto downloading the file from the source address; and storing, by thecomputer system, in the file logging database, the verificationfingerprint indexed with the source address of the downloaded file. 21.The computer-implemented method of claim 17, further comprising:storing, by the computer system, in the file logging database, averification fingerprint and a source address for each of a plurality offiles which are downloaded by the computer system, responsive todownloading each of the plurality of files to the computer system; andrepeating the generating a runtime fingerprint, requesting a sourceaddress, and requesting a process control policy, responsive tolaunching each new process in the restricted security context, therebyselectively and dynamically elevating or degrading execution privilegesof one or more selected processes in the restricted security contextaccording to the execution control policy as applied to those selectedprocesses.
 22. The computer-implemented method of claim 17, wherein thecomputer system comprises the file logging database and the processcontrol policy database.
 23. The computer-implemented method of claim17, wherein dynamically elevating or degrading execution privileges ofthe process in the restricted security context comprises stopping theprocess, assigning a new security token to the process and restartingthe process with execution privileges designated by the new securitytoken.
 24. The computer-implemented method of claim 17, furthercomprising: embedding, by the computer system, a hook in a user processin the restricted security context; and intercepting, by the hook, asystem call from the user process to launch in the restricted securitycontext the process based on the downloaded file.
 25. A computerreadable, non-transitory storage medium having a computer program storedthereon for causing a suitably programmed computer system to process, byone or more processors, computer program code to perform a method forsecurely and dynamically managing privileges for computer processesassociated with downloaded files, the method comprising: generating, bythe computer system, a runtime execution environment, the runtimeexecution environment comprising a restricted security context;launching, by the computer system, a process in the restricted securitycontext based on a downloaded file; generating, by the computer system,a runtime fingerprint of the downloaded file responsive to launching theprocess in the restricted security context; requesting, by the computersystem, from a file logging database stored outside of the restrictedsecurity context, a source address associated in the file loggingdatabase with a verification fingerprint of the downloaded file whichmatches with the runtime fingerprint; requesting, by the computersystem, from a process control policy database stored outside of therestricted security context, a process control policy associated in theprocess control policy database with a resource address which matcheswith the source address of the downloaded file as obtained from the filelogging database, wherein requesting the process control policy occursresponsive to receiving the requested source address; and dynamicallyelevating or degrading, by the computer system, responsive to receivingthe requested process control policy, execution privileges of theprocess in the restricted security context according to the processcontrol policy; wherein the computer system comprises a computerprocessor and electronic memory.
 26. The computer readable,non-transitory storage medium of claim 25, wherein the method furthercomprises: inserting a plug-in into a browser of the computer system,downloading a file to the computer system from a source address of thefile using the browser; generating a verification fingerprint of thefile using the plug-in responsive to downloading the file by thebrowser; and storing, by the plug-in, the verification fingerprint andthe source address in the file logging database responsive to generatingthe verification fingerprint of the file.
 27. The computer readable,non-transitory storage medium of claim 25, wherein the downloaded filewas downloaded by the computer system.
 28. The computer readable,non-transitory storage medium of claim 27, wherein the method furthercomprises: generating, by the computer system, the verificationfingerprint of the downloaded file responsive to downloading the filefrom the source address; and storing, by the computer system, in thefile logging database, the verification fingerprint indexed with thesource address of the downloaded file.
 29. The computer readable,non-transitory storage medium of claim 25, wherein the method furthercomprises: storing, by the computer system, in the file loggingdatabase, a verification fingerprint and a source address for each of aplurality of files which are downloaded by the computer system,responsive to downloading each of the plurality of files to the computersystem; and repeating the steps of generating a runtime fingerprint,requesting a source address, and requesting a process control policy,responsive to launching each new process in the restricted securitycontext, thereby selectively and dynamically elevating or degradingexecution privileges of one or more selected processes in the restrictedsecurity context according to the execution control policy as applied tothose selected processes.
 30. The computer readable, non-transitorystorage medium of claim 25, wherein the computer system comprises thefile logging database and the process control policy database.
 31. Thecomputer readable, non-transitory storage medium of claim 25, whereindynamically elevating or degrading execution privileges of the processin the restricted security context comprises stopping the process,assigning a new security token to the process and restarting the processwith execution privileges designated by the new security token.
 32. Thecomputer readable, non-transitory storage medium of claim 25, whereinthe method further comprises: embedding, by the computer system, a hookin a user process in the restricted security context; and intercepting,by the hook, a system call from the user process to launch in therestricted security context the process based on the downloaded file.33. A computer system for securely and dynamically managing privilegesfor computer processes associated with downloaded files, the computersystem comprising: a computer processor and an electronic storagemedium, the computer processor configured to: generate a runtimeexecution environment, the runtime execution environment comprising arestricted security context, launch a process in the restricted securitycontext based on a downloaded file, generate a runtime fingerprint ofthe downloaded file responsive to launching the process in therestricted security context, request, from a file logging databasestored outside of the restricted security context, a source addressassociated in the file logging database with a verification fingerprintof the downloaded file which matches with the runtime fingerprint,request, from a process control policy database stored outside of therestricted security context, a process control policy associated in theprocess control policy database with a resource address which matcheswith the source address of the downloaded file as obtained from the filelogging database, wherein requesting the process control policy occursresponsive to receiving the requested source address, and dynamicallyelevate or degrade, responsive to receiving the requested processcontrol policy, execution privileges of the process in the restrictedsecurity context according to the process control policy.
 34. Thecomputer system of claim 33, wherein the computer processor is furtherconfigured to: insert a plug-in into a browser of the computer system,download a file to the computer system from a source address of the fileusing the browser, generate a verification fingerprint of the file usingthe plug-in responsive to downloading the file by the browser, andstore, by the plug-in, the verification fingerprint and the sourceaddress in the file logging database responsive to generating theverification fingerprint of the file.
 35. The computer system of claim33, wherein the computer processor is further configured to: generatethe verification fingerprint of the downloaded file responsive todownloading the file from the source address, and store, in the filelogging database, the verification fingerprint indexed with the sourceaddress of the downloaded file.
 36. The computer system of claim 33,wherein the computer processor is further configured to: store, in thefile logging database, a verification fingerprint and a source addressfor each of a plurality of files which are downloaded by the computersystem, responsive to downloading each of the plurality of files to thecomputer system; and repeat the generate a runtime fingerprint, requesta source address, and request a process control policy, responsive tolaunching each new process in the restricted security context, therebyselectively and dynamically elevating or degrading execution privilegesof one or more selected processes in the restricted security contextaccording to the execution control policy as applied to those selectedprocesses.